My firewall currently has a mobo-integrated vr0 interface with a vlan0 on the same interface, but HTTP connections traversing vr0->vlan0 hang while similar connections going vlan0->vr0 work fine. The firewall plugs into a managed VLAN-capable switch (Linksys SRW2024P) that accepts untagged (VLAN ID 1) packets and tagged (VLAN ID 2) packets. The "unreachable" machines are on other switch ports that are untagged on VLAN ID 2. Machines on both VLANs can pass through the firewall to the internet without event, although there is only one-way access when going between vr0 and vlan0.

From an ifconfig on the firewall:

carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:00:5e:00:01:02
       carp: MASTER carpdev vr0 vhid 2 advbase 1 advskew 0
       groups: carp
       inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
       inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x11
...
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:40:63:da:b0:6c
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet6 fe80::240:63ff:feda:b06c%vr0 prefixlen 64 scopeid 0x1
       inet 10.0.0.252 netmask 0xffffff00 broadcast 10.0.0.255
...
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
       lladdr 00:40:63:da:b0:6c
       vlan: 2 priority: 0 parent interface: vr0
       groups: vlan
       inet6 fe80::240:63ff:feda:b06c%vlan0 prefixlen 64 scopeid 0x7
       inet 10.100.0.1 netmask 0xffffff00 broadcast 10.100.0.255

vr0 routes 10.0.0/24 and vlan0 routes 10.100.0/24. Maybe vlan0 should have carp0 as the parent interface? Doesn't seem right...

The relevant section of pf.conf is:

int_if = "{ vr0 vlan0 carp1 }"
...
# int_if
pass on $int_if
pass on $int_if keep state flags S/SA

Accessing file shares, etc., going vlan0->vr0 works fine but not in reverse. However, pings do work both ways.

Word on the street is that vr is a bad driver for VLANs, etc. It would be nice to know if this is the culprit. In case it isn't, I've got tcpdumps of traffic going both ways below. Apologies if this is something stupid; I've wrestled with it for a while before posting. Clues appreciated.

Cheers,
Jake

From vlan0 to vr0 (working):

# tcpdump -nvetti vr0 host 10.100.0.10 and port 80
tcpdump: listening on vr0, link-type EN10MB
1187233533.261780 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 66: 10.100.0.10.49319 > 10.0.0.52.80: S [tcp sum ok] 843956930:843956930(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 127, id 4227, len 52)
1187233533.262940 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 66: 10.0.0.52.80 > 10.100.0.10.49319: S [tcp sum ok] 416178802:416178802(0) ack 843956931 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 64, id 17732, len 52)
1187233533.263165 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 60: 10.100.0.10.49319 > 10.0.0.52.80: . [tcp sum ok] ack 1 win 16425 (DF) (ttl 127, id 4229, len 40)
1187233533.263362 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 466: 10.100.0.10.49319 > 10.0.0.52.80: P 1:413(412) ack 1 win 16425 (DF) (ttl 127, id 4230, len 452)
1187233533.460898 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 60: 10.0.0.52.80 > 10.100.0.10.49319: . [tcp sum ok] ack 413 win 17520 (DF) (ttl 64, id 15961, len 40)
1187233533.518590 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1514: 10.0.0.52.80 > 10.100.0.10.49319: . 1:1461(1460) ack 413 win 17520 (DF) (ttl 64, id 19048, len 1500)
1187233533.518704 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1443: 10.0.0.52.80 > 10.100.0.10.49319: P 1461:2850(1389) ack 413 win 17520 (DF) (ttl 64, id 1543, len 1429)
1187233533.519189 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49319: . 1:1457(1456) ack 413 win 17520 (DF) (ttl 64, id 29413, len 1496)
1187233533.519297 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1447: 10.0.0.52.80 > 10.100.0.10.49319: P 1457:2850(1393) ack 413 win 17520 (DF) (ttl 64, id 32392, len 1433)
1187233533.519393 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 66: 10.100.0.10.49319 > 10.0.0.52.80: . [tcp sum ok] ack 1 win 16425 <nop,nop,sack 1 {1461:2850} > (DF) (ttl 127, id 4253, len 52)
1187233533.520025 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 66: 10.100.0.10.49319 > 10.0.0.52.80: . [tcp sum ok] ack 2850 win 16425 <nop,nop,sack 1 {1461:2850} > (DF) (ttl 127, id 4254, len 52)
1187233533.540792 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 66: 10.100.0.10.49320 > 10.0.0.52.80: S [tcp sum ok] 190697552:190697552(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 127, id 4257, len 52)
1187233533.540950 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 66: 10.0.0.52.80 > 10.100.0.10.49320: S [tcp sum ok] 199713764:199713764(0) ack 190697553 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 64, id 29408, len 52)
1187233533.541437 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 60: 10.100.0.10.49320 > 10.0.0.52.80: . [tcp sum ok] ack 1 win 16425 (DF) (ttl 127, id 4258, len 40)
1187233533.541626 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 531: 10.100.0.10.49320 > 10.0.0.52.80: P 1:478(477) ack 1 win 16425 (DF) (ttl 127, id 4259, len 517)
1187233533.542513 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49320: . 1:1457(1456) ack 478 win 17472 (DF) (ttl 64, id 4255, len 1496)
1187233533.542632 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49320: . 1457:2913(1456) ack 478 win 17472 (DF) (ttl 64, id 3554, len 1496)
1187233533.542772 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49320: . 2913:4369(1456) ack 478 win 17472 (DF) (ttl 64, id 7234, len 1496)
1187233533.542885 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49320: . 4369:5825(1456) ack 478 win 17472 (DF) (ttl 64, id 7578, len 1496)
1187233533.543309 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 60: 10.100.0.10.49320 > 10.0.0.52.80: . [tcp sum ok] ack 4369 win 16425 (DF) (ttl 127, id 4261, len 40)
1187233533.543790 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49320: . 5825:7281(1456) ack 478 win 17472 (DF) (ttl 64, id 28628, len 1496)
1187233533.543800 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 358: 10.0.0.52.80 > 10.100.0.10.49320: P 7281:7585(304) ack 478 win 17472 (DF) (ttl 64, id 2420, len 344)
1187233533.544426 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 60: 10.100.0.10.49320 > 10.0.0.52.80: . [tcp sum ok] ack 7585 win 16425 (DF) (ttl 127, id 4262, len 40)
1187233533.581063 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 60: 10.0.0.52.80 > 10.100.0.10.49319: P [tcp sum ok] 2850:2855(5) ack 413 win 17520 (DF) (ttl 64, id 14070, len 45)
1187233533.602364 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 503: 10.100.0.10.49320 > 10.0.0.52.80: P 478:927(449) ack 7585 win 16425 (DF) (ttl 127, id 4270, len 489)
1187233533.603278 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49320: . 7585:9041(1456) ack 927 win 17472 (DF) (ttl 64, id 30297, len 1496)
1187233533.603393 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49320: . 9041:10497(1456) ack 927 win 17472 (DF) (ttl 64, id 26453, len 1496)
1187233533.603472 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 773: 10.0.0.52.80 > 10.100.0.10.49320: P 10497:11216(719) ack 927 win 17472 (DF) (ttl 64, id 7453, len 759)
1187233533.603913 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 60: 10.100.0.10.49320 > 10.0.0.52.80: . [tcp sum ok] ack 11216 win 16425 (DF) (ttl 127, id 4271, len 40)
1187233533.612861 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 542: 10.100.0.10.49319 > 10.0.0.52.80: P 413:901(488) ack 2855 win 16423 (DF) (ttl 127, id 4272, len 528)
1187233533.613539 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1418: 10.0.0.52.80 > 10.100.0.10.49319: P 2855:4219(1364) ack 901 win 17520 (DF) (ttl 64, id 6397, len 1404)
1187233533.816848 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 60: 10.100.0.10.49319 > 10.0.0.52.80: . [tcp sum ok] ack 4219 win 16082 (DF) (ttl 127, id 4294, len 40)

From vr0 to vlan0 (broken):

# tcpdump -nvetti vr0 host 10.100.0.2 and port 80
tcpdump: listening on vr0, link-type EN10MB
1187233591.419210 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 78: 10.0.0.112.23903 > 10.100.0.2.80: S [tcp sum ok] 754931413:754931413(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1340177160 0> (DF) (ttl 64, id 32824, len 64)
1187233591.424224 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 74: 10.100.0.2.80 > 10.0.0.112.23903: S [tcp sum ok] 2845583953:2845583953(0) ack 754931414 win 5792 <mss 1460,sackOK,timestamp 2291482 1340177160,nop,wscale 2> (DF) (ttl 63, id 0, len 60)
1187233591.424426 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 66: 10.0.0.112.23903 > 10.100.0.2.80: . [tcp sum ok] ack 1 win 16384 <nop,nop,timestamp 1340177160 2291482> (DF) (ttl 64, id 43124, len 52)
1187233591.478895 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 462: 10.0.0.112.23903 > 10.100.0.2.80: P 1:397(396) ack 1 win 16384 <nop,nop,timestamp 1340177160 2291482> (DF) (ttl 64, id 51922, len 448)
1187233591.482317 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 66: 10.100.0.2.80 > 10.0.0.112.23903: . [tcp sum ok] ack 397 win 1716 <nop,nop,timestamp 2291488 1340177160> (DF) (ttl 63, id 56649, len 52)
1187233591.580563 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 86: 10.100.0.2.80 > 10.0.0.112.23903: P [tcp sum ok] 1:21(20) ack 397 win 1716 <nop,nop,timestamp 2291496 1340177160> (DF) (ttl 63, id 56651, len 72)
1187233591.582142 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 480: 10.100.0.2.80 > 10.0.0.112.23903: FP 21:435(414) ack 397 win 1716 <nop,nop,timestamp 2291498 1340177160> (DF) (ttl 63, id 56653, len 466)
1187233591.582383 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 66: 10.0.0.112.23903 > 10.100.0.2.80: . [tcp sum ok] ack 436 win 15970 <nop,nop,timestamp 1340177161 2291496> (DF) (ttl 64, id 47907, len 52)
1187233591.582783 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 66: 10.0.0.112.23903 > 10.100.0.2.80: F [tcp sum ok] 397:397(0) ack 436 win 16384 <nop,nop,timestamp 1340177161 2291496> (DF) (ttl 64, id 39164, len 52)
1187233591.583124 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 66: 10.100.0.2.80 > 10.0.0.112.23903: . [tcp sum ok] ack 398 win 1716 <nop,nop,timestamp 2291498 1340177161> (DF) (ttl 63, id 48, len 52)
1187233592.363642 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 78: 10.0.0.112.26654 > 10.100.0.2.80: S [tcp sum ok] 304955285:304955285(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3632290553 0> (DF) (ttl 64, id 59264, len 64)
1187233592.364240 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 74: 10.100.0.2.80 > 10.0.0.112.26654: S [tcp sum ok] 2845358557:2845358557(0) ack 304955286 win 5792 <mss 1460,sackOK,timestamp 2291577 3632290553,nop,wscale 2> (DF) (ttl 63, id 0, len 60)
1187233592.364493 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 66: 10.0.0.112.26654 > 10.100.0.2.80: . [tcp sum ok] ack 1 win 16384 <nop,nop,timestamp 3632290553 2291577> (DF) (ttl 64, id 61744, len 52)
1187233592.372377 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 484: 10.0.0.112.26654 > 10.100.0.2.80: P 1:419(418) ack 1 win 16384 <nop,nop,timestamp 3632290553 2291577> (DF) (ttl 64, id 43427, len 470)
1187233592.373262 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 66: 10.100.0.2.80 > 10.0.0.112.26654: . [tcp sum ok] ack 419 win 1716 <nop,nop,timestamp 2291577 3632290553> (DF) (ttl 63, id 20135, len 52)
1187233594.374554 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 1402: 10.100.0.2.80 > 10.0.0.112.26654: FP 4345:5681(1336) ack 419 win 1716 <nop,nop,timestamp 2291778 3632290553> (DF) (ttl 63, id 20149, len 1388)
1187233594.374922 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 78: 10.0.0.112.26654 > 10.100.0.2.80: . [tcp sum ok] ack 1 win 16384 <nop,nop,timestamp 3632290557 2291577,nop,nop,sack 1 {4345:5681} > (DF) (ttl 64, id 55935, len 64)

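A small trace checker, added here as an example and not part of the original post, that reads `tcpdump -nvett` lines like the ones above and reports two things a reader of these captures will want to confirm: which byte ranges of a TCP stream never appeared on the capturing interface (the sender's later segments, or a SACK block, reveal them), and which IP packets are larger than the MTU given on the command line. The sample lines inside the script are copied, one packet per line, from the two traces in the post; the 1496-byte MTU is vlan0's from the ifconfig output; the 1448-byte MSS used to express a gap as whole segments is an assumption (1460 minus 12 bytes of TCP timestamp options, as the broken-direction SYNs negotiate). On this sample it reports that the second broken-direction connection is missing bytes 1..4344 from 10.100.0.2, exactly three 1448-byte segments, and that in the working direction 10.0.0.52 first sent a 1500-byte packet (over vlan0's MTU) before resending the same data as 1496-byte packets.

```python
"""Find TCP segments that never appeared in a `tcpdump -nvett` capture.

Added example, not code from the original post.  SAMPLE holds packet lines
copied from the post's two traces.  MTU 1496 is vlan0's (from ifconfig);
MSS 1448 is an assumption (1460 minus 12 bytes of timestamp options).
"""
import re

# Constructed sample: a few packets per trace, one per line, as in the post.
SAMPLE = """
1187233533.261780 0:40:63:da:b0:6c 0:4:5a:71:18:b1 0800 66: 10.100.0.10.49319 > 10.0.0.52.80: S [tcp sum ok] 843956930:843956930(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 127, id 4227, len 52)
1187233533.262940 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 66: 10.0.0.52.80 > 10.100.0.10.49319: S [tcp sum ok] 416178802:416178802(0) ack 843956931 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 64, id 17732, len 52)
1187233533.518590 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1514: 10.0.0.52.80 > 10.100.0.10.49319: . 1:1461(1460) ack 413 win 17520 (DF) (ttl 64, id 19048, len 1500)
1187233533.519189 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1510: 10.0.0.52.80 > 10.100.0.10.49319: . 1:1457(1456) ack 413 win 17520 (DF) (ttl 64, id 29413, len 1496)
1187233533.519297 0:4:5a:71:18:b1 0:0:5e:0:1:2 0800 1447: 10.0.0.52.80 > 10.100.0.10.49319: P 1457:2850(1393) ack 413 win 17520 (DF) (ttl 64, id 32392, len 1433)
1187233592.363642 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 78: 10.0.0.112.26654 > 10.100.0.2.80: S [tcp sum ok] 304955285:304955285(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3632290553 0> (DF) (ttl 64, id 59264, len 64)
1187233592.364240 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 74: 10.100.0.2.80 > 10.0.0.112.26654: S [tcp sum ok] 2845358557:2845358557(0) ack 304955286 win 5792 <mss 1460,sackOK,timestamp 2291577 3632290553,nop,wscale 2> (DF) (ttl 63, id 0, len 60)
1187233592.372377 0:11:43:3c:6:5b 0:0:5e:0:1:2 0800 484: 10.0.0.112.26654 > 10.100.0.2.80: P 1:419(418) ack 1 win 16384 <nop,nop,timestamp 3632290553 2291577> (DF) (ttl 64, id 43427, len 470)
1187233594.374554 0:40:63:da:b0:6c 0:11:43:3c:6:5b 0800 1402: 10.100.0.2.80 > 10.0.0.112.26654: FP 4345:5681(1336) ack 419 win 1716 <nop,nop,timestamp 2291778 3632290553> (DF) (ttl 63, id 20149, len 1388)
"""

# ts, src MAC, dst MAC, ethertype, frame length, then "src.port > dst.port:
# flags [tcp sum ok] seq:end(len) ack ... (ttl N, id N, len N)".  tcpdump
# prints relative sequence numbers after the SYN; the SYN line carries the ISN.
PKT = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+\w+\s+(?P<frame>\d+):\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPR.]+)\s+(?:\[tcp sum ok\]\s+)?"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<plen>\d+)\)\s+)?"
    r".*\(ttl \d+, id \d+, len (?P<iplen>\d+)\)"
)


def analyze(trace, mtu=1496):
    """Return {"gaps": [(flow, first_missing, next_seen, bytes)],
    "oversize": [(flow, ip_len)]}: byte ranges of each one-way flow that were
    never captured on this interface, and IP packets larger than `mtu`."""
    expected = {}   # one-way flow -> next relative seq we expect to capture
    gaps, oversize = [], []
    for line in trace.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        flow = f"{m['src']}:{m['sport']}>{m['dst']}:{m['dport']}"
        if int(m["iplen"]) > mtu:
            oversize.append((flow, int(m["iplen"])))
        if "S" in m["flags"]:
            expected[flow] = 1          # data begins at relative seq 1
            continue
        if m["seq"] is None or int(m["plen"]) == 0:
            continue                    # pure ACK, or FIN without payload
        seq, end = int(m["seq"]), int(m["end"])
        nxt = expected.get(flow, seq)
        if seq > nxt:                   # bytes nxt..seq-1 never seen here
            gaps.append((flow, nxt, seq, seq - nxt))
        expected[flow] = max(nxt, end)  # a retransmit of old data never rewinds
    return {"gaps": gaps, "oversize": oversize}


def full_segments(missing, mss=1448):
    """How many full-MSS segments a gap amounts to, or None if it is not a
    whole multiple (a whole multiple hints that only maximum-size packets
    are being lost)."""
    return missing // mss if missing and missing % mss == 0 else None


if __name__ == "__main__":
    report = analyze(SAMPLE)
    for flow, lo, hi, n in report["gaps"]:
        print(f"{flow}: bytes {lo}..{hi - 1} never seen ({n} bytes = "
              f"{full_segments(n)} x 1448-byte segments)")
    for flow, n in report["oversize"]:
        print(f"{flow}: {n}-byte IP packet exceeds MTU 1496")
```

To run it against a real capture, feed the output of `tcpdump -nvett -i vr0 ...` to `analyze()` and pass the MTU of the interface the traffic has to cross; a gap whose size is a whole multiple of the MSS, with only the smaller trailing segment arriving, points at frames above a size limit being dropped rather than at a filter rule, since pf's state would block the whole flow, not just the large segments.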